> -----Original Message-----
> From: Jeff Chan [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 12, 2004 5:14 PM
> To: users@spamassassin.apache.org
> Subject: Re: RBL Misfires?
>
>
> It would be useful if you could forward the messages that falsely
> trigger on RBLs, along with name resolution results on the specific
> RBL nearby in time, such as:
>
> > % dig vantagemobility.com.ws.surbl.org

The message is attached.

I ran that exact query against my DNS server, and both my ISP's servers at the
time it happened. Got basically this (nada):

; <<>> DiG 9.2.1 <<>> vantagemobility.com.ws.surbl.org
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62432
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;vantagemobility.com.ws.surbl.org. IN A
;; AUTHORITY SECTION:
ws.surbl.org. 900 IN SOA a.surbl.org. zone.surbl.org. 1097682081 900 450 604800 900
;; Query time: 247 msec
;; SERVER: 10.10.3.2#53(10.10.3.2)
;; WHEN: Wed Oct 13 09:17:27 2004
;; MSG SIZE rcvd: 93
> (and similar lookups on numeric RBLs like
> dig 2.0.0.127.sbl.spamhaus.org)
; <<>> DiG 9.2.1 <<>> 2.0.0.127.sbl.spamhaus.org
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48647
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0
;; QUESTION SECTION:
;2.0.0.127.sbl.spamhaus.org. IN A
;; ANSWER SECTION:
2.0.0.127.sbl.spamhaus.org. 7200 IN A 127.0.0.2
;; AUTHORITY SECTION:
sbl.spamhaus.org. 172800 IN NS n.ns.spamhaus.org.
sbl.spamhaus.org. 172800 IN NS r.ns.spamhaus.org.
sbl.spamhaus.org. 172800 IN NS s.ns.spamhaus.org.
sbl.spamhaus.org. 172800 IN NS u.ns.spamhaus.org.
sbl.spamhaus.org. 172800 IN NS v.ns.spamhaus.org.
sbl.spamhaus.org. 172800 IN NS z.ns.spamhaus.org.
sbl.spamhaus.org. 172800 IN NS a.ns.spamhaus.org.
sbl.spamhaus.org. 172800 IN NS b.ns.spamhaus.org.
sbl.spamhaus.org. 172800 IN NS c.ns.spamhaus.org.
sbl.spamhaus.org. 172800 IN NS d.ns.spamhaus.org.
sbl.spamhaus.org. 172800 IN NS e.ns.spamhaus.org.
sbl.spamhaus.org. 172800 IN NS f.ns.spamhaus.org.
sbl.spamhaus.org. 172800 IN NS m.ns.spamhaus.org.
;; Query time: 409 msec
;; SERVER: 10.10.3.2#53(10.10.3.2)
;; WHEN: Wed Oct 13 09:25:29 2004
;; MSG SIZE rcvd: 271
>
> There have been other sporadic reports of RBL misfires, which
> leads me to wonder about the possibility of a rarely hit bug
> somewhere in the RBL code. Unfortunately this kind of thing
> seems hard to debug given the dynamic nature of messages and
> RBLs, but there are enough reports to make me wonder.
>

Yeah... I know. I'm not even sure if I have a problem or not. I just recently
turned on the report header for all mail, so that I could at least get a little
more information without getting lost in constant debug output. I'm keeping an
eye on it for now.

The system, btw, is Red Hat 7.3, Sendmail 8.12.11, Spamass-Milter 0.2.0, SA 3.0
(but I also noticed questionable RBL hits with 2.64), and Net::DNS 0.46.

The SA system is configured to use our internal DNS server, which has the
typical default settings, afaik.

I do see cached entries for the RBLs in my DNS system, but when I actually
catch what I believe to be a misfire on an RBL check, I don't see a cache
record for it in my DNS.

One other thing that may be worth mentioning is that all messages come into
sendmail from localhost. MessageWall listens on the wire as a proxy. The only
obvious issue I saw with this is that SPF doesn't work.

> Jeff C.
> --
> Jeff Chan
> mailto:[EMAIL PROTECTED]
> http://www.surbl.org/
>
>
From "Karl Wein" Tue Oct 12 09:55:51 2004
Microsoft Mail Internet Headers Version 2.0
Received: from blacksheep.riconcorp.com ([10.10.3.5]) by pnork.ricon.us with
Microsoft SMTPSVC(6.0.3790.0);
Tue, 12 Oct 2004 09:56:43 -0700
Received: from riconcorp.com (blacksheep.riconcorp.com [127.0.0.1])
by blacksheep.riconcorp.com (8.12.11/8.12.11) with ESMTP id
i9CB3Iu1012753
for <[EMAIL PROTECTED]>; Tue, 12 Oct 2004 09:56:32 -0700
X-MessageWall-Score: 0 (riconcorp.com)
X-MessageWall-Warning: MIME/REJECT: body part contains disallowed string:
text/html
Received: from [165.251.41.49] by riconcorp.com (MessageWall 1.0.8md) with
SMTP; 12 Oct 2004 16:56:22 -
Received: from jcmwsc09.mwjc.easylink.com (mwsmout-vip-1.mwjc.easylink.com
[165.251.41.105])
by jcmwsm02.mwjc.easylink.com (8.12.9/8.12.9) with ESMTP id
i9CGuLiJ008577
for <[EMAIL PROTECTED]>; Tue, 12 Oct 2004 12:56:21 -0
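
The RBL lookups discussed in this thread, as an added example that is not part of the original messages or of SpamAssassin's code: it builds the query name for a domain-based or IP-based list and classifies a dig response, so that only an A record in 127.0.0.0/8 counts as a listing. The function names and the third sample response are assumptions made for illustration.

```python
import ipaddress
import re

LISTED_NET = ipaddress.ip_network("127.0.0.0/8")  # DNSBL answer range (RFC 5782)

def dnsbl_qname(item, zone):
    """Reversed octets for an IPv4 address, the name itself for a domain."""
    try:
        octets = str(ipaddress.IPv4Address(item)).split(".")
    except ipaddress.AddressValueError:
        return f"{item.rstrip('.').lower()}.{zone}"
    return ".".join(reversed(octets)) + "." + zone

def classify(dig_text, qname):
    """Return 'listed', 'not-listed' or 'error' for one dig response."""
    m = re.search(r"status: (\w+)", dig_text)
    if not m or m.group(1) not in ("NOERROR", "NXDOMAIN"):
        return "error"          # SERVFAIL, timeout text, etc. give no verdict
    if m.group(1) == "NXDOMAIN":
        return "not-listed"
    answers = []
    for line in dig_text.splitlines():
        f = line.split()
        if (len(f) == 5 and f[2:4] == ["IN", "A"]
                and f[0].rstrip(".").lower() == qname.lower()):
            answers.append(ipaddress.IPv4Address(f[4]))
    if not answers:
        return "not-listed"     # NOERROR with no A record for the name
    # An A record outside 127.0.0.0/8 is not a list verdict.
    return "listed" if all(a in LISTED_NET for a in answers) else "error"

# Samples: the first two are trimmed from the dig output in this thread,
# the third is constructed (203.0.113.10 is a documentation address).
NX = """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62432
;vantagemobility.com.ws.surbl.org. IN A
ws.surbl.org. 900 IN SOA a.surbl.org. zone.surbl.org."""
HIT = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48647
2.0.0.127.sbl.spamhaus.org. 7200 IN A 127.0.0.2
sbl.spamhaus.org. 172800 IN NS n.ns.spamhaus.org."""
BOGUS = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
vantagemobility.com.ws.surbl.org. 60 IN A 203.0.113.10"""

if __name__ == "__main__":
    surbl = dnsbl_qname("vantagemobility.com", "ws.surbl.org")
    sbl = dnsbl_qname("127.0.0.2", "sbl.spamhaus.org")
    for text, name in ((NX, surbl), (HIT, sbl), (BOGUS, surbl)):
        print(name, classify(text, name))
```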